Abstract



We propose a new homomorphic public-key cryptosystem over an arbitrary nonidentity finite group based on the difficulty of the membership problem for groups of integer matrices. Besides, a homomorphic cryptosystem is designed for the first time over finite commutative rings.

1 Introduction 

1.1. The problem of constructing reliable cryptosystems for secret computations has been extensively studied in recent years (see [?]). Generally, it consists in the encryption of a circuit over an algebraic structure H (e.g. a group, a ring, etc.). One possible approach to it is to find a publicly known algebraic structure G and a secret homomorphism

*Partially supported by RFFI, grants 03-01-00349, NSH-2251.2003.1 and a grant of NATO. The author would like to thank the Mathematical Institute of the University of Rennes during the stay in which this paper was initiated.
f : G → H. If the inversion of f is efficiently computable and computing f is a hard computational problem (i.e. f is a trapdoor function), one can design a homomorphic public-key cryptosystem in which an element h ∈ H is encrypted by an element of the form g g_h, where g is a random element of ker(f) and f(g_h) = h. Using such a cryptosystem one can efficiently implement a secret computation given by any circuit over the structure H. Some other applications of homomorphic public-key cryptosystems can be found in [?]. We mention also that group theory is a source of constructions (apart from homomorphic cryptosystems) in cryptography, see e.g. [13, ?].

It is well known that any boolean circuit of logarithmic depth can be efficiently simulated by a circuit over an arbitrary finite nonsolvable group, see [2] (another approach to encrypting boolean circuits was undertaken in [28]). Thus one of the first natural problems concerning secret computations is to design a homomorphic public-key cryptosystem over a finite group. The known examples of such systems include the quadratic residue cryptosystem (see [?]) over the group of order 2 and the cryptosystems (see [?]) over some cyclic and dihedral groups. However, in these and some other cryptosystems the involved groups are solvable and so cannot be used for the above cited simulation of boolean circuits. The first homomorphic public-key cryptosystem over an arbitrary nonidentity finite group was designed in [11].

It should be mentioned that the secrecy of all these cryptosystems was based on the difficulty of some problems closely related to that of integer factoring. However, "as long as factoring remains intractable, we are in a good position, but we are overdependent on the computational complexity of one particular problem" [31]. In addition, unlike factoring, it is unknown whether there is a quantum machine which can decide membership in a non-abelian matrix group, the problem on which the security of the cryptosystems in the present paper relies. In contrast to the cryptosystems based on the factoring problem, the first main result of this paper is a new homomorphic public-key cryptosystem over an arbitrary nonidentity finite group based on the difficulty of the membership problem for groups of integer matrices (for details see Section 2 and Theorem 2.1).

Theorem 1.1 For a nonidentity finite group H given by generators and relations one can choose a group G ≤ GL_2(Z) and a homomorphism f : G → H to obtain a homomorphic public-key cryptosystem over H.

We may think of H as a small finite group. On the other hand, the infiniteness of G is not an obstacle to performing the encryption and decryption algorithms (for the latter using the trapdoor information), since they involve just calculations with integer 2×2 matrices. In this connection we mention a public-key cryptosystem from [?] in which f was the natural epimorphism from a free group G onto the group H given by generators and relations. In this case for any element of H one can produce its preimages (encryptions) by inserting into a word (being an already produced preimage of f) from G
any relation defining H. In other terms, decrypting f reduces to the word problem in H. In our approach the epimorphism f is given on specially chosen generators of an appropriate subgroup G of a free group F ⊂ GL_2(Z), and the trapdoor consists in a polynomial-time algorithm (see Subsection 2.4) which allows one to represent an element of G (being an integer matrix) as a product of free generators of F. Publicly, in the cryptosystem from Theorem 1.1 a certain set of generators of G is exhibited, and the security of the cryptosystem relies on the difficulty (without knowledge of the trapdoor) of finding a representation of an element of G as a product of these generators, while in [?] an element of the free group G is given just by means of a product of its generators. (In fact, we keep secret a "good" basis of F which enables us to compute in G easily; at the same time the public key is given by a "bad" basis of G for which the representation problem is supposedly hard.)

We mention also that two public-key cryptosystems (not homomorphic) based on the group SL_2(Z) were suggested in [33, ?], which were subsequently broken in [?]. These cryptosystems hide the generators of a subgroup of SL_2(Z) by conjugating them with a secret matrix.

In [31, 10] two constructions of cryptosystems (not homomorphic) were proposed whose difficulty of breaking relies on the word problem (in finitely generated groups). The common feature of both papers is that a public key is given by two words m_0, m_1 and a family ℛ of words. Then encrypting a bit i ∈ {0, 1} is carried out by starting with m_i and subsequently inserting, at random and a polynomial number of times, words from ℛ. Denote by G the group given by the relations ℛ. Then basically the trapdoor needs a solution of the word problem in G. To this end epimorphisms of the form f : G → H, with f(m_0) ≠ f(m_1), were suggested such that the word problem in the group H is easy, so that this epimorphism plays the role of a trapdoor. In [31] the epimorphism f consists actually in adding some relations of commutativity of the generators. In [?] the group H is taken to be the Grigorchuk group with 4 generators (not finitely presentable) corresponding to a certain fast computable infinite word χ. It is shown in [13] that the word problem in this group is easy, thus χ plays the role of a trapdoor. So, the principal difference of the cryptosystems proposed in [?, 31, 13] from our cryptosystem is that they perform calculations with words, whereas our cryptosystem deals with integer 2×2 matrices.

It seems to be an interesting open question whether for a non-abelian group H there exists a homomorphic cryptosystem with a finite group G.

1.2. The second topic of this paper is devoted to homomorphic public-key cryptosystems over finite rings. This problem was first posed in [20] (see also [?]) and in [?] it was demonstrated that a direct approach to it fails. At present there are only a few results in this direction. In particular, we mention the cryptosystem from [7] based on a homomorphism from a direct sum of rings isomorphic to Z. A finite version of this system [?] was
recently broken in [?]. As the second main result of this paper we present a homomorphic public-key cryptosystem over a finite commutative ring (for details see Section 3). Before formulating it we recall that any finite commutative ring with identity is isomorphic to a direct sum of local rings (see [19]).

Theorem 1.2 Let R be a finite commutative ring with identity different from a direct sum of several copies of rings isomorphic to Z_2. Then there exists a homomorphic public-key cryptosystem over R with respect to a homomorphism f : A → R for an appropriate finite commutative ring A.

In the cryptosystem of Theorem 1.2 the ring A is a group ring of a finite Abelian group G and f is the epimorphism induced by a suitable secret epimorphism from G to the multiplicative group of R. The only commutative rings for which any homomorphism of this kind is trivial have trivial multiplicative groups, and so are the direct sums of copies of the ring Z_2. Thus the natural open question is to find a homomorphic public-key cryptosystem over the ring Z_2. The way we construct the ring A gives a bound on the cardinality of A that is double exponential in the cardinality of R. This condition is essential in the following sense. As we will see in Section 3, any finite ring of exponential cardinality is a subring of the ring Mat(n, Z_m) of n×n matrices over Z_m with n and log m bounded by polynomials. The latter construction of embedding a ring into a matrix ring is not efficient a priori; in fact, its efficiency depends on the way in which the ring is given. On the other hand, Theorem 3.2 states that the homomorphisms of rings given as subrings of Mat(n, Z_m) cannot be secret.

It should be remarked that the secret homomorphisms from Theorem 1.2 cannot be used for encrypting circuits over rings due to their size. The problem of finding cryptosystems suitable for such encrypting, as well as that of constructing secret homomorphisms over noncommutative finite rings, are still open. Theorem 3.2 shows that if there exists a homomorphic public-key cryptosystem over a finite ring R with the cardinality of the ring A exponential in the cardinality of R, it should avoid explicitly representing A as a subring of some matrix ring Mat(n, Z_m).

2 A homomorphic cryptosystem over a finite group 

Throughout the section, for a finite set X we denote by W_X the set of all words in the alphabet X^± = X ∪ X^{-1}. A word from W_X with no subword x x^{-1}, x ∈ X^±, is called irreducible. For an integer a ∈ Z we denote by l(a) its bit size; for S ⊂ Z the bit size l(S) is defined accordingly (its displayed definition is missing from this copy of the paper).

2.1. Representation problem. Let Γ be a group and X be a finite subset of Γ. We are interested in the problem of finding an X-representation of an element g ∈ G where G = ⟨X⟩ is the subgroup of Γ generated by X. By an X-representation of g we mean an
irreducible word w_g ∈ W_X such that π(w_g) = g, where π is the epimorphism of the free group on X onto the group G with π|_X = id. Obviously, if Γ is a free group on X, then G = Γ and each element of Γ has a unique X-representation. If w_g = x_1^{a_1} ⋯ x_k^{a_k} where x_i ∈ X and a_i ∈ Z for all i, then the number l(w_g) = Σ_i l(a_i) is called the bit size of the X-representation w_g of g. We observe that the size of g as an element of the group Γ, which depends essentially on the nature of Γ, can differ substantially from the bit size of an X-representation of it, as can the bit sizes of two different X-representations of g. In what follows we look for algorithms finding X-representations of g efficiently, i.e. in polynomial time in the size of g in Γ and in the minimal bit size of its X-representation.

Representation Problem 𝒫(Γ, X). Let Γ be a group and X ⊂ Γ a finite set. Given g ∈ ⟨X⟩ presented as an element of Γ, find an X-representation of g efficiently.

It should be mentioned that the representation problem consists in finding a certificate for the membership problem when the group in question is given by generators. If Γ is a symmetric group of degree n, then both of these problems can be solved in polynomial time by the sift algorithm (see e.g. [17]). However, if Γ = GL_n(Z_m) then both of these problems are closely related to the discrete logarithm problem (when n = 1, m is a prime and X consists of a generator of the multiplicative group of the ring Z_m). The representation problem is NP-hard on average in general, even if Γ is a free group of finite rank [32].

To adapt the representation problem to constructing public-key cryptosystems we have to describe trapdoor information providing a polynomial-time solution of this problem. A general idea can be explained as follows. Let G ≤ F ≤ Γ be groups and F = ⟨X'⟩, G = ⟨X⟩ for some finite sets X, X' ⊂ Γ. Suppose that both of the problems 𝒫(Γ, X') and 𝒫(F, X) can be solved efficiently. Then the problem 𝒫(Γ, X) can also be solved within the same time whenever, using the corresponding algorithms, one can find an X'-representation and an X-representation of an element of ⟨X⟩ whose bit sizes are approximately the same. In this case one could use the set X' as a trapdoor for the problem 𝒫(Γ, X). In the next subsection we realize this idea for Γ = GL_2(Z) and apply it to constructing a homomorphic public-key cryptosystem over any nonidentity group given by generators and relations.

2.2. The main construction. Let us define a family of free subgroups of the group GL_2(Z). First we recall that given an integer n ≥ 2 the matrices

A_n, B_n (their entries are missing from this copy of the paper) (1)

form a basis of a free subgroup of the group GL_2(Z) (see [?, p. 232]). Next, from the proof of [?, Proposition 3.1] it follows that given a nonempty set S ⊂ Z the set

X(n, S) = {A_n^{-s} B_n A_n^{s} : s ∈ S}

is also a basis of a free group G(n, S) ⊂ GL_2(Z). The following statement, proved in Subsection 2.4, enables us to define a homomorphic public-key cryptosystem with these groups.

Theorem 2.1 Given an integer n ≥ 2 and a finite set S ⊂ Z one can find the X(n, S)-representation w_g of an arbitrary matrix g ∈ G(n, S) in polynomial time in l(n) + l(S) + l(w_g).

Let H = ⟨𝒳; ℛ⟩ be a nontrivial group given by the set 𝒳 of at least two¹ generators and the set ℛ of relations. Choose randomly n ≥ 2, sets S ⊂ Z, R ⊂ W_ℛ such that |S| = |R| = |𝒳|, and bijections h ↦ x_h, h ↦ r_h from 𝒳 to X(n, S) and to R respectively. Set

X = X(n, S, R) = {x_h r_h : h ∈ 𝒳}, G = ⟨X⟩.

Since F = ⟨X(n, S)⟩ is a free group on X(n, S), there exists a uniquely determined epimorphism φ : F → H coinciding with μ^{-1} on W_{X(n,S)}, where μ : W_𝒳 → W_{X(n,S)} is the bijection taking h_1 ⋯ h_k to x_{h_1} ⋯ x_{h_k}. After identifying W_ℛ with a subset of W_𝒳 we have F = φ^{-1}(H) ⊇ ⟨μ(𝒳 ∪ R)⟩ ⊇ ⟨X⟩ = G. Thus G ≤ F ≤ GL_2(Z) and the mapping

f : G → H, g ↦ φ(g) (2)

is a homomorphism such that f(x_h r_h) = φ(x_h) φ(r_h) = h · 1 = h for all h ∈ 𝒳. Now we can define a homomorphic public-key cryptosystem 𝒮(H, n, S) over the group H with respect to the homomorphism (2) as follows:

Public Key: the subset X = X(n, S, R) of GL_2(Z), where R is a random subset of W_ℛ, and the bijection 𝒳 → X, h ↦ x_h r_h.

Secret Key: the pair (n, S).

Encryption: given a plaintext h ∈ H encrypt as follows:

Step 1. If h = h_1 ⋯ h_k with h_i ∈ 𝒳 for all i, set M_h = (x_{h_1} r_{h_1}) ⋯ (x_{h_k} r_{h_k}).

Step 2. Find an 𝒳-representation w_r = h'_1 ⋯ h'_m of a random r ∈ W_ℛ. Set M_r = x_{h'_1} ⋯ x_{h'_m}.

Step 3. Output the matrix M_r M_h ∈ GL_2(Z) as the ciphertext of h.

Decryption: given a ciphertext g ∈ G decrypt as follows.

¹ This is a rather technical restriction, because even if H is a cyclic group one can choose as 𝒳 a nonminimal set of generators.



Step 1. Find the X(n, S)-representation w_g = g_1 ⋯ g_k of the element g (Theorem 2.1).

Step 2. Output μ^{-1}(g_1) ⋯ μ^{-1}(g_k) as the plaintext of g.

The correctness of the encryption and decryption algorithms immediately follows from the definitions. Moreover, by Theorem 2.1 the decryption of the cryptosystem 𝒮(H, n, S) can be done within time (l(n) + l(S) + l(w_g))^{O(1)}.

2.3. Remarks on security of the cryptosystem 𝒮(H, n, S). First, we observe that the decryption problem, i.e. the problem of computing f(g) for an element g ∈ G, is polynomial-time reducible to the representation problem 𝒫(GL_2(Z), X). Thus the difficulty of the direct way to break 𝒮(H, n, S) is based on that of the special case of this representation problem with the promise X ⊂ G(n, S):

Problem 2.2 Given a matrix belonging to a group G ≤ G(n, S), find a short X-representation of it under the assumption that such a representation does exist.

One can make this problem even harder using, for instance, the Nielsen transformations [15] to replace X(n, S) by another set of generators, not necessarily a basis of the group G(n, S) (these transformations consist in successively replacing elements of a generating set by their inverses or products). A less direct way to break the cryptosystem 𝒮(H, n, S) could consist in finding the number n and the set S, in other words, the secret key. This seems to be difficult.

Finally, it should be remarked that the cryptosystem 𝒮(H, n, S) can be transformed into a homomorphic public-key cryptosystem in the sense of [13]. To do this it suffices to find a set A and a trapdoor function P : A → G such that im(P) = ker(f), i.e. to get the exact sequence

A → G → H → {1}

(with P and f as the first two arrows). However, this can be done by choosing A to be the set W_K where K = {h h' (hh')^{-1} : h, h' ∈ H}, and P = μ (we make use of the fact that in this setting the group H has to be small). We do not dwell on details since we do not stick here to the definition of [13].

2.4. Proof of Theorem 2.1. The proof of the theorem is based on Lemmas 2.3 and 2.4. In the first of them the free group 𝔉 on 𝒳 is considered as a subset of the set W_𝒳: any element of 𝔉 is an irreducible word of W_𝒳 and the identity of 𝔉 is the empty word 1_𝒳 ∈ W_𝒳. The length of the 𝒳-representation of an element g ∈ 𝔉 is denoted by |g|. For an arbitrary word w ∈ W_𝒳 we denote by \bar{w} the element of 𝔉 corresponding to w. Below we will use an observation from the proof of [?, Proposition 3.1] that if 𝒳 = {A, B} and S ⊂ Z is a nonempty finite set, then the elements A^{-s} B A^{s}, s ∈ S, form a basis of a free subgroup of the group 𝔉.
Lemma 2.3 Let 𝔉 be a free group of rank 2 on 𝒳 = {A, B} and G be the subgroup of 𝔉 generated by the set X = {A^{-s} B A^{s} : s ∈ S}, where S ⊂ Z is a nonempty finite set. Then given an element g ∈ 𝔉 one can test whether g ∈ G or not in time (l(g) + l(S))^{O(1)}, where l(g) is the bit size of the 𝒳-representation of g; moreover, if g ∈ G, then the X-representation w_g can be found within the same time and l(g) ≤ 3 l(w_g) l(S).

Proof. To prove the lemma let us consider the following algorithm which, for a given element g ∈ 𝔉, by recursion on the length |g| of its 𝒳-representation produces a certain pair (i_g, w_g) ∈ {0, 1} × W_X such that g ∈ G if and only if i_g = 1, and w_g is then the X-representation of g.

Step 1. If g = 1_𝒳, then output (1, 1_X). Otherwise, let g = A^a B^b A^c ⋯ for suitable a, b, c, … ∈ Z.

Step 2. If either −a ∉ S or (−a, b) ∈ S × {0}, then output (0, 1_X). Otherwise set u = A^{a+c} ⋯.

Step 3. Recursively find (i_h, w_h) where h = \bar{u}. If i_h = 0, then output (i_h, w_h).

Step 4. Output (1, w_g) where w_g = v w_h with v = A^a B^b A^{-a}.

We observe that each recursive call at Step 3 is applied to an element h ∈ 𝔉 with |h| < |g|, so the number of recursive calls is at most |g|, and each step can be implemented in time O(l(g) + l(S)). Thus the running time of the algorithm is (l(g) + l(S))^{O(1)}. Next, due to the obvious inequality l(c) ≤ l(a + c) + l(a) we have

l(g) = l(A^a B^b A^c ⋯) ≤ 2 l(a) + l(b) + l(A^{a+c} ⋯) = 2 l(a) + l(b) + l(h). (3)

Since w_g = v w_h and v = (A^a B A^{-a})^b we get that l(w_g) = l(b) + l(w_h). On the other hand, l(h) ≤ 3 l(w_h) l(S) by the recursive hypothesis. Thus from (3) it follows that

l(g) ≤ 2 l(a) + l(b) + 3 l(w_h) l(S) = 2 l(a) + l(b) + 3 (l(w_g) − l(b)) l(S) ≤ 3 l(w_g) l(S)

(we use that l(b) ≥ 1 and max{l(a), l(b)} ≤ l(S)). This proves the required inequality l(g) ≤ 3 l(w_g) l(S).

To verify the correctness of the algorithm we need to show first that g ∈ G if and only if i_g = 1, and second that if i_g = 1, then w_g is the X-representation of g. Using induction on |g|, suppose that g ∈ G \ {1_𝒳}. We observe that the first term of an arbitrary irreducible word w ∈ W_𝒳 such that \bar{w} = \bar{w'} for some w' ∈ W_X is of the form A^a where −a ∈ S. So the output of Step 2 is correct. Moreover, from the definition of v at Step 4 it follows that \bar{v} ∈ G, and so g ∈ G iff h ∈ G. Besides, if the algorithm terminates at Step 3 or 4, then i_g = i_h, and by the induction hypothesis w_h is the X-representation of h iff i_h = 1. Thus the output at Step 3 is correct and w_g ∈ W_X. Since obviously

g = \overline{vu} = \bar{v}\,\bar{u} = \bar{v}\,\overline{w_h} = \overline{v w_h} = \overline{w_g},

we conclude that w_g at Step 4 is the X-representation of g and the output of this step is correct.

In the next lemma we deal with the subgroup of GL_2(Z) generated by the set X_n = {A_n, B_n} (see (1)). Since this group is a free group on X_n, any element M of it has a uniquely determined X_n-representation coinciding with the irreducible word belonging to W_{X_n}.

Lemma 2.4 Let G = ⟨X_n⟩ for some n ≥ 2. Then given a matrix M ∈ GL_2(Z) belonging to G, the X_n-representation of M can be found in time (l(n) + l)^{O(1)}, where l is the bit size of this representation.

Proof. The algorithm below is similar to the one in [?] which yields a representation of a matrix with respect to a different (more standard in the theory of modular groups) family of generators; also in [?] one can find the basic facts on the group SL_2(Z) used in the proof below. We will employ the classical action of the group GL_2(Z) on the projective line (the Riemann sphere) C* = C ∪ {∞} by means of the linear fractional transformations

z ↦ Mz = (M_{11} z + M_{12}) / (M_{21} z + M_{22})

where M = (M_{ij}) is a matrix of GL_2(Z) (the kernel of this action is of order 2 and equals the subgroup of all diagonal matrices of GL_2(Z); the quotient group with respect to this subgroup is the projective group PGL_2(Z)). We make use of the following key observation: if n ≥ 2, then any power A^k of the matrix A = A_n with nonzero k ∈ Z maps the open unit disk D ⊂ C centered at 0 strictly inside D^c = C* − D, and reciprocally any power B^k of the matrix B = B_n maps D^c strictly inside D.² A straightforward computation shows that given z ∈ D ∪ D^c there can exist at most one integer k = k(z) such that

(z ∈ D^c ∧ A^k z ∈ D) ∨ (z ∈ D ∧ B^k z ∈ D^c).

Below we set C(z) = A^k if z ∈ D^c, and C(z) = B^k if z ∈ D, provided that such k exists. In the following algorithm we suppose that I is the identity matrix, and z ∈ D and z' ∈ D^c are arbitrary fixed complex numbers of small size, say z = 1/2 and z' = 2.

Step 1. Set (L, L') := (M, M) and (u, u') := (1_{X_n}, 1_{X_n}).

² This observation entails that G is the free group on {A, B} (see [?, Proposition 2.2]).
Step 2. If L = I, then output u; if L' = I, then output u'.

Step 3. Set (u, u') := (u C^{-1}, u' (C')^{-1}) (in W_{X_n} × W_{X_n}), and (L, L') := (CL, C'L') (in GL_2(Z) × GL_2(Z)), where C = C(Lz), C' = C(L'z'). Go to Step 2.

Let us prove that the above algorithm finds the X_n-representation

M = A^{a_1} B^{b_1} ⋯ A^{a_m} B^{b_m} (4)

of a matrix M ∈ G, where m is a nonnegative integer and a_i, b_i ∈ Z, i ∈ [m], such that a_i ≠ 0 for i ≠ 1 and b_i ≠ 0 for i ≠ m. If M = I (m = 0), then the statement is obvious (see Step 1). Let us show that if b_m = 0 (resp. b_m ≠ 0), then after m iterations of the loop at Steps 2 and 3 the matrix L (resp. L') becomes the identity matrix and the word u (resp. u') is the X_n-representation of M. Indeed, let b_m = 0 (the case b_m ≠ 0 is considered similarly). Then it is easy to see that Mz ∈ D iff a_1 = 0. So after the first iteration, according to Step 3, we have

[the displayed formula (5) is missing from this copy of the paper] (5)

whence u = A^{a_1} if Mz ∈ D^c and u = B^{b_1} if Mz ∈ D. Since the number of factors in the X_n-representation of the matrix L after Step 3 equals m − 1, the required statement follows by induction on this number.

Let us estimate the running time of the algorithm. We observe that from the previous paragraph it follows that the algorithm terminates after m iterations. So to complete the proof it suffices to note that the sizes of all the intermediate matrices L and L' do not exceed O(m l(n) + l).

Let us complete the proof of Theorem 2.1. For an element g ∈ G(n, S), by means of Lemma 2.4 one can first find its X_n-representation within time (l(n) + l)^{O(1)}, where l = l(g) is the bit size of this representation. Subsequently, applying Lemma 2.3 one can find an X(n, S)-representation w_g of g within time (l + l(S))^{O(1)} ≤ (l(w_g) + l(S))^{O(1)}.
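As an added worked example (not code from the paper), the trapdoor of Theorem 2.1 and the cryptosystem 𝒮(H, n, S) of Subsection 2.2 in Python: the ping-pong of Lemma 2.4 recovers the X_n-word of a matrix, the recursion of Lemma 2.3 rewrites it over X(n, S), and a toy instance with H = S_3 encrypts, decrypts and checks the homomorphic property. It assumes the standard generators A_n = [[1, n], [0, 1]] and B_n = [[1, 0], [n, 1]] (their entries are missing from this copy), builds the randomiser M_r from the public matrices x_h r_h since those are what the encryptor holds, and uses the toy choices n = 2, S = {1, 3} and the presentation of S_3 by a = (0 1), b = (0 1 2).

```python
from fractions import Fraction
from functools import reduce
import random
# Assumed generators (their entries are missing from this copy of the paper):
# A_n = [[1, n], [0, 1]] and B_n = [[1, 0], [n, 1]], which generate a free group for n >= 2.
I2 = ((1, 0), (0, 1))
mmul = lambda P, Q: tuple(tuple(sum(P[i][k] * Q[k][j] for k in range(2)) for j in range(2)) for i in range(2))
power = lambda n, letter, k: ((1, n * k), (0, 1)) if letter == 'A' else ((1, 0), (n * k, 1))  # A_n^k / B_n^k
eval_word = lambda n, word: reduce(mmul, (power(n, l, k) for l, k in word), I2)  # [('A', k), ...] -> matrix

def mobius(M, z):  # z -> (M11 z + M12) / (M21 z + M22) on the projective line; None = infinity
    (a, b), (c, d) = M
    if z is None:
        return None if c == 0 else Fraction(a, c)
    den = c * z + d
    return None if den == 0 else (a * z + b) / den

def peel(n, w):
    """C(w) of Lemma 2.4 as (letter, k): A^k w in D for w in D^c, B^k w in D^c for w in D; None if no such k."""
    if w is None or w == 0:                 # infinity is fixed by every A^k, 0 by every B^k
        return None
    if abs(w) >= 1:                         # A^k w = w + k n: k is the integer nearest to -w/n
        k = round(-w / n)
        return ('A', k) if k and abs(w + k * n) < 1 else None
    t = 1 / w                               # B^k w = 1 / (k n + 1/w): need |k n + 1/w| < 1
    k = round(-t / n)
    return ('B', k) if k and abs(t + k * n) < 1 else None

def xn_representation(n, M):
    """Lemma 2.4 ping-pong from base points z = 0 (in D) and z' = infinity (in D^c), instead of 1/2 and 2."""
    for z in (Fraction(0), None):
        L, u = M, []
        while L != I2:
            c = peel(n, mobius(L, z))
            if c is None:
                break                       # this track is stuck: restart from the other point
            letter, k = c
            u.append((letter, -k))          # M = C_1^{-1} C_2^{-1} ... , where L := C L each step
            L = mmul(power(n, letter, k), L)
        if L == I2:
            return u
    raise ValueError("matrix is not in <A_n, B_n>")

def s_representation(word, S):
    """Lemma 2.3: rewrite an irreducible alternating {A,B}-word as a word in the basis
    x_s = A^{-s} B A^s, s in S, returned as [(s, exponent), ...]; None if outside G(n, S)."""
    if not word:
        return []
    a = word[0][1] if word[0][0] == 'A' else 0
    rest = word[1:] if a else word
    if -a not in S or not rest:             # Step 2: g must start with A^a B^b and -a must be in S
        return None
    b, tail = rest[0][1], rest[1:]
    tail = [('A', a + tail[0][1])] + tail[1:] if tail else [('A', a)]   # h = A^{a+c} ...
    sub = s_representation([(l, k) for l, k in tail if k], S)
    return None if sub is None else [(-a, b)] + sub   # g = (A^a B A^{-a})^b h = x_{-a}^b h

# Toy plaintext group H = S_3: generators a = (0 1), b = (0 1 2) as permutations, relators aa,
# bbb, abab; a string over {a, b} is a product in H (the word problem in this small H is trivial).
GENS, RELATORS = {'a': (1, 0, 2), 'b': (1, 2, 0)}, ('aa', 'bbb', 'abab')
pmul = lambda p, q: tuple(p[q[i]] for i in range(3))
pinv = lambda p: tuple(p.index(i) for i in range(3))
eval_H = lambda word: reduce(pmul, (GENS[ch] for ch in word), (0, 1, 2))
random_relator = lambda rng: ''.join(rng.choice(RELATORS) for _ in range(rng.randint(1, 2)))

def keygen(n, S, rng):
    """Public key {h: x_h r_h}: x_h = A^{-s_h} B A^{s_h} for the secret bijection h -> s_h (S listed
    in the order a, b) and r_h a random product of relators, so that f(x_h r_h) = h."""
    s_of = dict(zip(GENS, S))
    mu = lambda w: eval_word(n, [t for ch in w for t in (('A', -s_of[ch]), ('B', 1), ('A', s_of[ch]))])
    return {h: mu(h + random_relator(rng)) for h in GENS}

def encrypt(public, word, rng):
    """M_r M_h: public matrices along a random relator product r (f(M_r) = 1 in H), then along the plaintext."""
    return reduce(mmul, (public[ch] for ch in random_relator(rng) + word), I2)

def decrypt(n, S, g):
    """Theorem 2.1 (Lemma 2.4, then Lemma 2.3) followed by mu^{-1}, evaluated in H."""
    reps = s_representation(xn_representation(n, g), S)
    if reps is None:
        raise ValueError("ciphertext is not in G(n, S)")
    gen_of = {s: GENS[h] for h, s in zip(GENS, S)}
    h = (0, 1, 2)
    for s, e in reps:
        h = reduce(pmul, [gen_of[s] if e > 0 else pinv(gen_of[s])] * abs(e), h)
    return h

def demo(seed=7):
    rng, n, S = random.Random(seed), 2, (1, 3)   # assumed toy secret key (n, S)
    public = keygen(n, S, rng)
    c1, c2 = encrypt(public, 'ab', rng), encrypt(public, 'b', rng)
    # f is a homomorphism: a product of ciphertexts decrypts to the product of the plaintexts
    return decrypt(n, S, c1) == eval_H('ab') and decrypt(n, S, mmul(c1, c2)) == eval_H('abb')
```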

3 Homomorphic cryptosystems over finite rings

Let R be a finite commutative ring with identity and G be a group. Then it is easy to see that any homomorphism φ : G → R^×, where R^× is the multiplicative group of R, can be extended to the homomorphism φ' : R[G] → R[R^×] of the group rings taking Σ_g r_g g to Σ_g r_g φ(g). On the other hand, the natural injection R^× → R can be extended to the ring homomorphism φ'' : R[R^×] → R. We will say that the homomorphism f = φ'' ∘ φ' is induced by the homomorphism φ. From the computational point of view the homomorphisms φ and f are closely related; more exactly, the problem of finding φ(g) for g ∈ G is polynomial-time equivalent to the problem of finding f(g) for g ∈ G (here we suppose that the elements of the group ring R[G] are given by R-linear combinations of elements of G). This immediately implies the following statement.

Lemma 3.1 Let R be a finite commutative ring with identity such that there exists a homomorphic public-key cryptosystem over the group R^× with respect to an epimorphism φ : G → R^× for some group G. Then one can design a homomorphic public-key cryptosystem over the ring R. Moreover, the problems of breaking these two systems are polynomial-time equivalent.

Proof of Theorem 1.2. We recall that the ring R, being commutative, is isomorphic to a direct sum of local rings (see [19]). If among these local rings there is at least one not isomorphic to Z_2, then the multiplicative group of this ring is nontrivial and hence |R^×| ≠ 1. Thus by Lemma 3.1 it suffices to find a homomorphic public-key cryptosystem over the group R^×. To do this we observe that due to the commutativity of the ring R we have R^× = H_1 × ⋯ × H_k where H_i is a cyclic group, i ∈ [k]. So from [?, Section 2] it follows that for each i there exists a homomorphic public-key cryptosystem 𝒮_i over the group H_i with respect to an appropriate epimorphism φ_i : G_i → H_i with G_i a finite Abelian group. Set G = G_1 × ⋯ × G_k and φ to be the epimorphism G → R^× induced by the epimorphisms φ_1, …, φ_k. Now, using the cryptosystems 𝒮_i, i ∈ [k], one can form a homomorphic public-key cryptosystem over the group R^× with respect to the epimorphism φ : G → R^×. The theorem is proved.
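An added toy instance (not the authors' code) of the group-ring construction behind Lemma 3.1 and the proof above: R = Z_7, G = Z_12, a secret epimorphism φ : G → R^× and the induced f : R[G] → R, with encryption as a lift of r plus random elements of ker f. Sampling ker φ, which the paper obtains from the group-level cryptosystems 𝒮_i, is stubbed here with the secret itself; the parameters 7, 12 and the generator 3 are toy choices.

```python
import random

P, N = 7, 12                                  # assumed toy parameters: R = Z_P, G = Z_N
phi = lambda k: pow(3, k % N, P)              # secret epimorphism G -> R^x (3 generates Z_7^x)
basis = lambda k: [int(i == k % N) for i in range(N)]   # the group element k as an element of R[G]
ring_add = lambda u, v: [(a + b) % P for a, b in zip(u, v)]

def ring_mul(u, v):                           # product in R[G]: cyclic convolution mod P
    w = [0] * N
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            w[(i + j) % N] = (w[(i + j) % N] + a * b) % P
    return w

def f(u):                                     # the induced homomorphism f = phi'' o phi' : R[G] -> R
    return sum(a * phi(k) for k, a in enumerate(u)) % P

def kernel_element(rng):
    """A random element of ker phi in G.  In the paper the group-level public-key cryptosystem
    supplies such elements without the secret; in this toy they are drawn using phi directly."""
    return rng.choice([k for k in range(N) if phi(k) == 1])

def encrypt(r, rng, t=3):
    """Lift r to r*[k0] with k0 in ker phi, then add t random multiples of [g] - [g + k] with
    k in ker phi; each summand lies in ker f since phi(g + k) = phi(g) phi(k) = phi(g)."""
    c = [(r * x) % P for x in basis(kernel_element(rng))]
    for _ in range(t):
        g, k, coeff = rng.randrange(N), kernel_element(rng), rng.randrange(P)
        c = ring_add(c, [(coeff * (a - b)) % P for a, b in zip(basis(g), basis(g + k))])
    return c

decrypt = f                                   # decryption is evaluation of the secret homomorphism

def demo(seed=3):
    rng, r1, r2 = random.Random(seed), 4, 6
    c1, c2 = encrypt(r1, rng), encrypt(r2, rng)
    # f is a ring homomorphism: sums and products of ciphertexts decrypt to sums and products
    return (decrypt(ring_add(c1, c2)), decrypt(ring_mul(c1, c2))) == ((r1 + r2) % P, (r1 * r2) % P)
```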

Let R and A be finite rings as in Theorem 1.2. Then from the proof of this theorem it follows that the size of A is double exponential in the size of the ring R. Indeed, A is the group ring of the group G over R, whence |A| = |R|^{|G|}, |G| = |G_1| ⋯ |G_k| and |G_i| is exponential in |H_i| (see the construction in [11, Section 2]). We will see below that under a natural assumption on the presentation of A it is difficult to reduce the size of A while preserving the secrecy of the homomorphism f : A → R (this extends the observation from [?]).

Let A be a finite ring of characteristic m (i.e. m is the minimal positive integer which vanishes in A) and 𝒫(m) be the set of the highest prime powers dividing m. Then it is easy to see that

A = ⊕_{q ∈ 𝒫(m)} A_q (6)

where A_q = q'A with q' = m/q is an ideal of A, considered as a finite ring of characteristic q with the identity q'1. For each q the ring A_q is a linear space of dimension n_q = log_p |A_q| over the finite field F_p of prime order p dividing q. This implies that A can be considered as a subring of the matrix ring Mat_n(Z_m) where n = Σ_{q ∈ 𝒫(m)} n_q. To find a
basis of a linear space could be not easy a priori if a procedure for testing linear dependency is not known; that is why the efficiency of the embedding of A into a matrix ring depends on the way A is given. Now suppose that the size of A is at most exponential in |R|. Then the dimension n_q is polynomial in |R|, and hence n and log m are less than |R|^{O(1)}. In the following theorem we use a presentation of a ring homomorphism which is analogous to the presentation of a group homomorphism from [14].

Theorem 3.2 Let R be a finite ring presented by the list of its elements together with the Cayley tables of its additive and multiplicative groups, and A be a subring of the ring Mat_n(Z_m) where max{n, log m} ≤ |R|^{O(1)}. Suppose that f : A → R is a homomorphism given by generators of the ideal ker(f), a transversal X of ker(f) in A and the restriction of f to X. Then given a ∈ A the element f(a) can be found in polynomial time in |R|.

Proof. Using the decomposition (6) one can reduce the problem of computing f(a), a ∈ A, in polynomial time to |𝒫(m)| problems of computing f_q(a_q), q ∈ 𝒫(m), where a_q = aq' ∈ A_q and f_q : A_q → R_q is the homomorphism induced by f. Thus without loss of generality we assume that the characteristic of A equals p^d for a prime p and d ≥ 1. Since d ≤ log m ≤ |R|^{O(1)}, one can find an embedding A → Mat_{nd}(Z_p) in polynomial time in |R|. Then the ideal ker(f) becomes a linear space over the finite field F_p of dimension at most (nd)^2. Using linear algebra over F_p a linear basis of this space can be found within the same time. This enables us to decide efficiently whether or not an arbitrary element a ∈ A belongs to ker(f).

Let now a ∈ A. Then there exists a uniquely determined element x_a ∈ X such that x_a − a ∈ ker(f). Moreover, from the previous paragraph it follows that this element can be found in time |R|^{O(1)} (it suffices to test for each x ∈ X whether or not x − a ∈ ker(f)). Since f(a) = f(a + x_a − a) = f(x_a) and the element f(x_a) is known as part of the presentation of f, the element f(a) can be found within the same time.
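An added worked instance (not from the paper) of the procedure in the proof of Theorem 3.2 for a prime characteristic: a Z_p-basis of the ideal ker(f) is computed from its generators by linear algebra, and the transversal is searched for the x with x − a ∈ ker(f). The ring A (upper triangular 2×2 matrices over Z_5, given by a Z_p-basis), the hidden f(a) = a_{11} and the names presented_hom, ideal_basis are toy choices of this example.

```python
P, N = 5, 2                                   # assumed toy instance: A is a subring of Mat_2(Z_5)
flat = lambda M: [M[i][j] % P for i in range(N) for j in range(N)]
unflat = lambda v: [[v[i * N + j] for j in range(N)] for i in range(N)]
mat_mul = lambda M, Q: [[sum(M[i][k] * Q[k][j] for k in range(N)) % P for j in range(N)] for i in range(N)]

def reduce_vec(basis, v):
    """Reduce v modulo an echelon basis [(row, pivot), ...] over Z_p; zero result <=> v in the span."""
    v = v[:]
    for b, piv in basis:
        if v[piv]:
            c = v[piv]
            v = [(x - c * y) % P for x, y in zip(v, b)]
    return v

def span_basis(vectors):
    """Echelon basis of the Z_p-span of the vectors (Gaussian elimination, pivots normalised to 1)."""
    basis = []
    for v in vectors:
        v = reduce_vec(basis, v)
        piv = next((i for i, x in enumerate(v) if x), None)
        if piv is not None:
            inv = pow(v[piv], -1, P)
            basis.append(([(x * inv) % P for x in v], piv))
    return basis

def ideal_basis(A_basis, gens):
    """Z_p-basis of the two-sided ideal of A generated by gens: close the span under left and
    right multiplication by the basis elements of A until the dimension stops growing."""
    rows = [flat(g) for g in gens]
    while True:
        basis = span_basis(rows)
        rows = [b for b, _ in basis]
        products = [flat(mat_mul(a, unflat(r))) for a in A_basis for r in rows]
        products += [flat(mat_mul(unflat(r), a)) for a in A_basis for r in rows]
        if len(span_basis(rows + products)) == len(basis):
            return basis
        rows += products

def presented_hom(A_basis, ker_gens, transversal):
    """Theorem 3.2: recover a -> f(a) from the public presentation of f alone (ideal generators
    of ker f, a transversal X of ker f in A and f|_X); f(a) = f(x) for the x with x - a in ker f."""
    K = ideal_basis(A_basis, ker_gens)
    def f(a):
        for x, fx in transversal:
            if not any(reduce_vec(K, [(u - v) % P for u, v in zip(flat(x), flat(a))])):
                return fx
        raise ValueError("element is not in the ring A")
    return f

# Toy instance: A = upper triangular 2x2 matrices over Z_5 and the "secret" f(a) = a[0][0] in
# R = Z_5.  Only its presentation is handed to presented_hom: ker f is generated as an ideal by
# E22 alone (E12 = E12 * E22 appears in the closure), X = {c * E11 : c in Z_5} with f(c * E11) = c.
E11, E12, E22 = [[1, 0], [0, 0]], [[0, 1], [0, 0]], [[0, 0], [0, 1]]
A_BASIS = [E11, E12, E22]
TRANSVERSAL = [([[c, 0], [0, 0]], c) for c in range(P)]
f_recovered = presented_hom(A_BASIS, [E22], TRANSVERSAL)

def demo():
    a, b = [[3, 4], [0, 2]], [[2, 1], [0, 4]]
    # the recovered map agrees with the hidden f and is multiplicative: f(ab) = f(a) f(b)
    return (f_recovered(a), f_recovered(mat_mul(a, b))) == (3, (3 * 2) % P)
```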